If you’ve ever raged against those quivering pop-up ads that state, in no uncertain terms, that your computer is infected with a virus, you may rest assured. You have a champion in the US Federal Trade Commission.

The business watchdog said on Tuesday that a US federal court has imposed a judgment of more than $163 million against a defendant in a case brought against purveyors of so-called "scareware" programs designed to trick internet users into believing their computer is infected.

The FTC announced the huge settlement in its three-year-old case against Innovative Marketing Inc. (IMI) and Kristy Ross, a former officer of the company. In addition to the financial reward on behalf of more than a million US consumers who fell for the scam, the court order bars Ross from selling computer security software or other software that interferes with computer owners’ use of their system.

Scareware is one of the most common forms of nuisance software on the internet. It runs the gamut from the malicious - rogue anti-virus software that uses SEO-optimized web pages and drive-by download attacks to infect vulnerable computers - to the merely suspicious.

As Naked Security has reported, authorities have taken a tougher stance against both malicious and nuisance scareware in recent months, with major crack-downs and lawsuits against those who peddle and promote the scammy software.

The case against IMI and Ross stems from a 2008 complaint filed by the FTC against Ross and six other defendants, who were charged with a widespread campaign of deceptive advertising that tricked more than a million unwitting computer users into purchasing software to remove fictitious malware infections alleged by IMI and ByteHosting Internet Services LLC.

According to the FTC complaint, the companies operated for six years selling a wide range of web-based anti-virus and anti-spyware software with names like “WinFixer”, “WinAntiVirus” and “ComputerShield”, as well as Windows registry cleaners.

To promote their wares, the companies circulated ads through established online ad networks that displayed the now-infamous “system scan” warnings that invariably detected one or more malicious files and programs on consumers’ computers.

The bogus “scans” urged consumers to buy the defendants’ software for $40 to $60 to clean off the malware, the FTC said.

The business was lucrative, netting the defendants tens of millions of dollars as IMI grew to employ around 600 employees. But the use of sham “system scans” and other deceptive advertisements was a violation of the US Federal Trade Commission Act.

Of the six defendants initially charged, three settled with the FTC while two, Sam Jain and Daniel Sundin of IMI, skipped town and are currently fugitives. That left Ross, who argued – unsuccessfully – that she was a low level employee who had no knowledge of IMI’s online marketing program.

However, extensive chat logs from IMI that showed Ross purchasing ads on networks such as MyGeek, and her managing the huge volume of complaints from irate users over the behavior of the ads suggested she was more than a functionary and had clear knowledge of IMI’s marketing practices.

In the end, she was tried in absentia and pleaded the Fifth Amendment to avoid incriminating herself. After a brief trial, she was found guilty and ordered to pay restitution to the government of $163 million (a figure derived from an estimate of the number of victims and the cost of purchasing) and rid systems of IMI’s software.

"...she was found guilty and ordered to pay restitution to the government of $163 million..."

It's not clear who's actually getting paid here. Earlier in the article it says that the $163 million judgment is a "reward on behalf of more than a million US consumers who fell for the scam", which implies that the victims are going to receive restitution for the money the crooks stole from them.

That would be proper, if that's what's actually going to happen. I hope you're not saying that the state is going to keep the money. That would be a case of transferring the booty from one group of thieves to another.

Maybe I never installed it, but I have to wonder how much I might be compensated for all the times I had to force close my browser when I encountered it. My lost time, my possible lost work product, etc. Oh, and I bill at $2,500 per hour. What amount do I get, FTC?

Downside of this is that most of their funds are put into anonymous holding accounts that are very difficult to trace. Then they'll set up a limited liability company (or a bunch of them) and put them into liquidation if they get caught. That way, even if the FTC asks for $100m+, they can't actually get it. The companies were worthless and the individuals that ran them can only have their possessions taken - which they'll quickly re-buy with their undeclared funds. Yes, it hurts the con artists, but it's not anywhere near as devastating as you might initially expect.

Yes, I know, the media loves to throw the word "hacker" around a lot, since it's their favourite buzzword after "cyber". Most modern tech journalists are not in the business of actually reporting the news, they're in the business of repackaging the news for maximum clicks and advertising revenue.

Hackers, traditionally, were people who modified technology to suit their own means. This could be the hardware hacker that mods his Wii controller to also work as a TV remote, or the software hacker that alters some open-source software to do something useful for his specific job. However, the term more commonly (these days at least) refers to someone that breaks into computer systems. The meanings of words change, and I accept that.

What I will not accept is the vilification of the word "hacker". There is a huge legitimate business (often termed Information Security, or Infosec) around hacking. It's been going on for decades. The people who pioneered anti-malware systems were hackers. The people who constantly test their company networks for security vulnerabilities are hackers. The people who discover and report software bugs and website security holes to vendors are hackers. They do more good and have prevented more catastrophes than you could possibly imagine.

So next time you consider using hacker as a pejorative term, think about what I've said here.

The word hacker can correctly be used as a pejorative term. I will continue to use it as a pejorative.

As per the current editions of the Oxford American and Merriam-Webster dictionaries, a hacker is a person who illegally or without authorization gains access to, and sometimes tampers with, information in a computer system. See definitions, below.

A. Source: Merriam-Webster dictionary, 2012 (online)

hack-er

noun

Definition of HACKER

1: one that hacks

2: a person who is inexperienced or unskilled at a particular activity <a tennis hacker>

3: an expert at programming and solving problems with a computer

4: a person who illegally gains access to and sometimes tampers with information in a computer system

They'll just find some other scam to pull on users. So long as users are happy being ignorant and blithely click on every link they see, someone will keep finding ways to get their money away from them.

Neither fines nor jail time is going to stop this kind of fraud. Fines only enrich the coffers of corrupt politicians and bureaucrats, and jail is a free ride at taxpayers' expense. Haven't the criminals already cost society enough money?

If you really want to stop this kind of scumbaggery, make the criminals restore all the losses they cause, and pay the costs of ensuring that such restitution actually gets paid. If bozos (and bozettes like Ms. Ross) end up working their wicked little asses off for the rest of their lives to cover the damage they cost, THAT will be a far more effective deterrent than jail time.

I think a better alternative is to give them a year's suspended sentence, fine them, then ban them from ever using a computer for the next 15 years, ever registering their own company, or working in any job position that involves marketing.

That has the following effects:

1) They'll have the immediate consequence of a suspended sentence.
2) They won't be able to get anything but the most menial job.
3) They won't be able to set up any adverts.
4) They will not be able to use computers, smartphones, etc. that these people usually crave.
5) They're suffering the ultimate humiliation of paying for the enforcement of their own punishment.

I'm going to take the pessimistic viewpoint. Harsh fines, draconian laws and jail sentences tend to do one thing and that is force crime to become organised (cheap shot but prohibition didn't work and empowered the 'mob').
Indeed that seems to be the case. 'Online Crime' wasn't really that scary a few years back other than it was new to those not versed in IT. Now the various 'legitimate business men's clubs' have cottoned onto the potential profits involved and that turns this lil black duck's hair greyer than it already is!
'shoot em in the back of the head' be my guest, I'd rather not go toe to toe with your average heavy :/

About the author

Paul is a Boston-based reporter and industry analyst with more than a decade of experience covering the IT industry, cyber security and hacking. His work has appeared on threatpost.com, The Boston Globe, salon.com, NPR's Marketplace, Fortune Small Business, as well as industry publications including ZDNet, Computerworld, InfoWorld, eWeek, CIO, CSO and ITWorld.com. Paul got his 15 minutes as an expert guest on The Oprah Show - but that's a long story.